SQL Server is "Microsoft's database server product. It supports the restoration and inspection of backups via SQL statements". Remote exploitation of an integer underflow vulnerability within Microsoft Corp.'s SQL Server could allow a remote attacker to execute arbitrary code with the privileges of the SQL Server.
Credit:
The information has been provided by iDefense.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=723
Vulnerable Systems:
* Microsoft SQL Server 2005 Service Pack 2 Hot Fix 4
* Microsoft SQL Server 2005 (no patches)
The vulnerability exists within the code responsible for parsing a stored backup file. A 32-bit integer value, representing the size of a record, is taken from the file and used to calculate the number of bytes to read into a heap buffer. This calculation can underflow, which leads to insufficient memory being allocated. The buffer is subsequently overfilled leading to an exploitable condition.
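The bug class described above (a length field read from the file, reduced by a fixed header size, and used for allocation) is easiest to see in a small constructed parser. The following C is an added illustration, not SQL Server's code and not its backup format: it assumes a toy record layout with a 4-byte little-endian length prefix that counts itself plus the payload, shows the unchecked subtraction wrapping, and beside it the bounds checks a hardened parser needs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy format: 4-byte little-endian length covering header + payload. */
#define HDR_LEN 4u

/* Naive derivation of the payload size, mirroring the advisory's bug class:
 * any record_len < HDR_LEN wraps to a value near 4 GiB, so the allocation
 * and the later copy no longer agree. Returned only for demonstration. */
uint32_t payload_len_unchecked(uint32_t record_len) {
    return record_len - HDR_LEN;
}

/* Hardened parser: rejects lengths that would underflow or exceed the input.
 * Returns 0 and a malloc'd copy of the payload on success, -1 otherwise. */
int parse_record(const uint8_t *buf, size_t buf_len,
                 uint8_t **payload_out, uint32_t *payload_len_out) {
    if (buf_len < HDR_LEN) return -1;                 /* no complete header */
    uint32_t record_len = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                          (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    if (record_len < HDR_LEN) return -1;              /* subtraction would wrap */
    uint32_t payload_len = record_len - HDR_LEN;
    if (payload_len > buf_len - HDR_LEN) return -1;   /* record claims more than present */
    uint8_t *p = malloc(payload_len ? payload_len : 1);
    if (!p) return -1;
    memcpy(p, buf + HDR_LEN, payload_len);            /* now provably in bounds */
    *payload_out = p;
    *payload_len_out = payload_len;
    return 0;
}

/* Constructed sample records: one well-formed, one with a length smaller
 * than the header. Returns 1 if the parser accepts the first and rejects the second. */
int demo(void) {
    static const uint8_t good[] = {9, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    static const uint8_t bad[]  = {2, 0, 0, 0, 'x', 'y'};
    uint8_t *p = NULL;
    uint32_t n = 0;
    int ok = parse_record(good, sizeof good, &p, &n) == 0 &&
             n == 5 && memcmp(p, "hello", 5) == 0;
    free(p);
    p = NULL;
    int rejected = parse_record(bad, sizeof bad, &p, &n) == -1;
    return ok && rejected;
}
```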
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the SQL Server. SQL Server 2005 runs under the "NETWORK SERVICE" account, which is similar to an unprivileged user account.
The target function can be run by any user with access to query the database. This attack could also be conducted anonymously through a Web application if it contained an SQL Injection vulnerability.
For the server to load the corrupted backup file, an attacker would have to supply a path to a remote file using either SMB or WebDAV.
Workaround:
iDefense is currently unaware of any direct workaround for this issue. Administrators can disable SMB and WebDAV support on affected SQL Servers to prevent access to remote files.
Vendor response:
Microsoft has officially addressed this vulnerability with Security Bulletin MS08-040. For more information, consult their bulletin at the following URL.
http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx
CVE Information:
CVE-2008-0107
Disclosure timeline:
12/06/2007 Initial vendor notification
12/06/2007 Initial vendor response
07/08/2008 Coordinated public disclosure